On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:

>On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
>>
>> On Fri, 13 Jun 2003 14:18:44 -0400
>> Tim Peeler <[EMAIL PROTECTED]> wrote:
>> > In the last 4-5 days we have had 8 servers come under attack. We are
>> > working frantically to keep ahead of these attacks. We have come to the
>> > conclusion that the SSH in woody is likely vulnerable. [...]
>> > We have not had time
>> > to analyze where the exploit occurs in sshd, but we are very confident
>> > that this is the location of the exploit. We have begun upgrading to
>> > a backport of the testing version of ssh which appears to be helping.
>>
>> Could you provide your /etc/ssh/sshd_config, the version of your "ssh"
>> package, and the output from 'debsums ssh'? Thanks.
>>
>
>sshd_config for compromised server attached, as well as the output of
>debsums ssh
>
>SSH Version: 3.4p1-1

[snip]
From your sshd_config :

> Protocol 2,1

Um, aren't there known *unfixable* problems with the SSH1 protocol ?

http://www.cert.org/advisories/CA-2001-35.html
http://list.cobalt.com/pipermail/cobalt-security/2001-November/003857.html
http://groups.google.com/groups?q=ssh1+unfixable&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=m1lsmv0faft.fsf%40syrinx.oankali.net&rnum=1
http://groups.google.com/groups?q=ssh1+deprecated&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=Pine.LNX.4.10.10102101444180.22997-100000%40mystery.acr.fi&rnum=1

I may be wrong (not expert, etc) but I'm under the impression that SSH1 is unfixably broken and should not now be used - certainly we only have protocol 2 listed in all our server configs. Having protocol 1 second in the list doesn't stop a client from insisting on using it.

Tatu Ylonen says in the 4th reference above :

"The whole CRC32 vulnerability is once again a manifestation of certain fundamental problems in the SSH1 key exchange and message authentication mechanism. The SSH2 protocol was created to fix these (and other) problems. The old SSH1 protocol is deprecated, and people are strongly urged to move to using the SSH2 protocol.

.. some cryptographers that I know have been speculating whether it would be possible to construct attack patterns that would get around the CRC32 deattack mechanism entirely. The original CRC32 attack works by obtaining some known plaintext-ciphertext pairs, and constructing a special pattern that defeats the CRC32 that was used as MAC in SSH1. The deattack code detects the particular pattern used to defeat the CRC32 check. However, some people are speculating that there may be other patterns (e.g. involving more known plaintext-ciphertext pairs) that would also compensate for CRC32 but would not be detected by the deattack code. I cannot confirm whether this is the case, but I personally do not fully trust that the deattack code will be able to prevent all variations of the attack (even without the bug in the deattack code).

The real fix is to move to using the SSH2 protocol."

My 2p, etc. You probably already know all this. Do you *have* to have SSH1 enabled ?

(Sorry if this is all off-target)

Good luck

Nick Boyce
Bristol, UK
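Added example, not part of the thread above and not code from any of the posters: a small Python audit of an sshd_config for the point Nick makes, that `Protocol 2,1` still accepts SSH1 whatever the order, and that the fix is a `Protocol 2` line. The sample config is constructed (it only mirrors the `Protocol 2,1` setting quoted from the attachment). Two assumptions are built in and marked in the code: an absent `Protocol` directive is treated as the OpenSSH 3.x-era default `2,1`, and the first occurrence of a directive wins, as sshd does with duplicates.

```python
"""Audit an sshd_config for the Protocol directive and show the hardened form.

Added example for the thread on 'Protocol 2,1'; not the posters' config or code.
"""
import re

# Assumption: OpenSSH 3.x used "2,1" when the directive was absent, so a config
# that simply omits Protocol is treated as still accepting SSH1.
DEFAULT_PROTOCOLS = {2, 1}

# Constructed sample, not the attachment from the thread. It only reproduces the
# one setting that was quoted, "Protocol 2,1", plus a typical RSA1 HostKey line.
SAMPLE_WEAK = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
"""


def parse_directives(text):
    """Yield (keyword, value) for every active line, keyword lower-cased.

    Blank lines and '#' comments are skipped; both 'Keyword value' and
    'Keyword=value' spellings are accepted, as sshd accepts them.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*[=\s]\s*(.*)$", line)
        if m:
            yield m.group(1).lower(), m.group(2).strip()


def first_directive(text, keyword):
    """Assumption: sshd keeps the first occurrence of a directive and ignores
    later duplicates, so the first Protocol line is the one that counts."""
    for key, value in parse_directives(text):
        if key == keyword.lower():
            return value
    return None


def protocols_enabled(text):
    """Set of protocol versions the server will accept. Order in the directive
    is only the server's preference; a client may insist on any listed one."""
    value = first_directive(text, "Protocol")
    if value is None:
        return set(DEFAULT_PROTOCOLS)
    return {int(v.strip()) for v in value.split(",") if v.strip().isdigit()}


def allows_protocol1(text):
    return 1 in protocols_enabled(text)


def audit(text):
    """Return a list of findings; an empty list means SSH1 is off and nothing
    SSH1-specific is left behind."""
    findings = []
    enabled = protocols_enabled(text)
    directive = first_directive(text, "Protocol")
    if 1 in enabled:
        shown = directive if directive is not None else "(absent, assumed default 2,1)"
        findings.append(
            "Protocol %s: SSH1 is accepted; listing 2 first only sets the "
            "server's preference, a client can still insist on protocol 1" % shown)
    for key, value in parse_directives(text):
        # /etc/ssh/ssh_host_key is the RSA1 key, used only by protocol 1.
        if key == "hostkey" and value.endswith("ssh_host_key") and 1 not in enabled:
            findings.append("HostKey %s: RSA1 host key is only used by protocol 1" % value)
    return findings


def harden(text):
    """Return the config with exactly one 'Protocol 2' directive: the first
    Protocol line is rewritten, later duplicates dropped, and the line is
    appended if it was missing (where the assumed default would allow SSH1)."""
    out, seen = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped.startswith("#") and re.match(r"(?i)^protocol\b", stripped):
            if not seen:
                out.append("Protocol 2")
                seen = True
            continue
        out.append(raw)
    if not seen:
        out.append("Protocol 2")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print("WEAK:", finding)
    fixed = harden(SAMPLE_WEAK)
    print(fixed)
    for finding in audit(fixed):
        print("AFTER:", finding)
```

Running it on the constructed sample reports that SSH1 is accepted, prints the config rewritten to `Protocol 2`, and then flags the now-unused RSA1 `HostKey` line, which is the usual leftover after turning protocol 1 off.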